Foundations of Abstract Interpretation

Size: px

Start display at page:

Download "Foundations of Abstract Interpretation"

Cecily Gaines
5 years ago
Views:

1 Escuela 03 II / 1 Foundations of Abstract Interpretation David Schmidt Kansas State University

2 Escuela 03 II / 2 Outline 1. Lattices and continuous functions 2. Galois connections, closures, and Moore families 3. Soundness and completeness of operations on abstract data 4. Soundness and completeness of execution trace computation

3 Escuela 03 II / 3 Data sets are complete lattices A complete lattice is a partially ordered set, with unique minimal and maximal elements, and with greatest-lower-bound and least-upper-bound operations: top all notpos notneg {notpos, notneg} = zero neg zero pos {zero, notpos, notneg} = all { } = all bottom none { } = none

4 Escuela 03 II / 4 Here is a more precise definition: A complete lattice, L = D,,,,,, consists of a set, D, and a partial ordering,, on D a smallest element, (such that d, for all d D) and a greatest element, (such that d, for all d D) a least upper bound operation,, such that, for all S D, d S, for all d S, and for all other upper bounds, c D, such that d c, for all d S, we have that S c a greatest lower bound operation,, defined dually to the above: S d, for all d S, and when c d, for all d S, we have that c S

5 Escuela 03 II / 5 The first example is the complete lattice, (Int),, { }, Int,, ; the next two are abstractions of it: {..., 1,0,1,2,... } all { 0,1,3,6,10,... } notpos notneg {..., 1,0 } { 2, 1,0,1,2,3 } { 1,3,5,... } neg zero none pos { 1,0 } { 1 } { 1,1 } { 1, 3 } { 0 } { 1 } any { } even odd none

6 Escuela 03 II / 6 Monotonic and chain-continuous functions Given complete lattices, A and B, we say that a function, f : A B, is monotonic iff for all a, a A, a A a implies f(a) B f(a ) A monotonic function preserves the precision of information in its argument. Say that we have an ω-chain, a 0 A a 1 A... A a i A a i+1 A... A function, f : A B, is ω-continuous iff i 0 f(a i ) = f( i 0 An ω-continuous function preserves the limit of information in a a i ) chain. Conventional computation employs monotonic and ω-continuous functions, so it is no restriction to use only them.

7 Escuela 03 II / 7 Galois connections Given a complete lattice of concrete (execution) data, C, and a simpler complete lattice of abstract data, A, we relate the two by α : C A that will act like a homomorphism when we study the operations on C. It will be useful that α have an inverse,, γ: Definition: For complete lattices C and A, and monotonic functions, α : C A, γ : A C, the pair, α, γ form a Galois connection, written C α, γ A, iff c C γ α(c) and α γ(a) A a. γ α

8 Escuela 03 II / 8 The maps α and γ are inverse maps on each other s image: { 0,1,2,... } γ any { 0,1,3,6,10,... } { 0,2,4,... } { 0,1,...,9 } { 1,3,5,... } α even odd { 0, 2 } { 0 } { 0, 1 } { 2 } { 1 } { 1, 3 } none { } That is, for all c γ[a], c = γ α(c); for all a α[c], a = α γ(a). α is ω-continuous (and even preserves for arbitrary sets in C); γ preserves for arbitrary sets in A. Each map uniquely defines the other: γ(a) = {c α(c) A a} and α(c) = {a c C γ(a)}

9 Escuela 03 II / 9 The previous fact suggests this alternative characterization of Galois connection: Proposition: For complete lattices C and A, the pair, α : C A, γ : A C, is a Galois connection when, for all c C and a A, c C γ(a) iff α(c) A a. γ ( a ) c iff a α (c) From this definition, we can prove that both α and γ are monotonic, that c C γ α(c), and that α γ(a) A a.

10 Escuela 03 II / 10 Galois connections are closed under composition, product, and so on: If C α, γ D and D α, γ E are Galois connections, then so is C α α, γ γ E If C i α i, γ i D i is a Galois connection, for all i I, then so is Π i I C i Π i I α i, Π i I γ i Π i I D i. If C α C, γ C C and D α D, γ D D are Galois connections, then so is C D (λf.α D f γ C ), (λf.γ D f α C ) C D. {..., 1,0,1,2,... } {..., 2, 1,0 } { 0,1,2,3,... } { 1,0,1,...,9 } { 0, 1 } { 0, 1 } { 1, 3 } { 1 } { 0 } { 1 }... { } all notpos notneg neg neg zero pos none Composition of Galois connections all none notneg

11 Escuela 03 II / 11 Why do we require the elaborate structure of a Galois connection? 1. If we are certain about the precise definition of γ : A C, we can mechanically synthesize the its adjoint, α(c) = {a c C γ(a)}. (Or, dually, if we are certain about α, we can synthesize γ as γ(a) = {c α(c) A a}. ) 2. We obtain many mathematical properties about α, expressed in terms of its adjoint, γ (and vice versa). 3. Since we intend to use α : C A as a homomorphism from C to A, we can use α and its adjoint γ to synthesize abstract operations: For each f : C C, we can synthesize f # : A A, such that α is a homomorphism with respect to f and f #. (We will see that f # = α f γ.)

12 Escuela 03 II / 12 Closure maps For C α, γ A, it is common that α is onto. This means A embeds into C as a sublattice: { 0,1,2,... } any { 0,1,3,6,10,... } { 0,2,4,... } { 0,1,...,9 } { 1,3,5,... } even odd { 0, 2 } { 0 } { 0, 1 } { 2 } { 1 } { 1, 3 } none { } A s elements are mere tokens that name distinguished sets in C. Definition: ρ : C C is a closure map if it is (i)monotonic; (ii)extensive: c C ρ(c), for all c C; (iii)idempotent: ρ ρ = ρ.

13 Escuela 03 II / 13 A closure map defines the embedding: { 0,1,2,... } { 0,1,3,6,10,... } ρ {0,2} = {0,2,4,...} { 0,2,4,... } { 0,1,...,9 } { 1,3,5,... } ρ {0,2,4,...} = {0,2,4,...} { 0, 2 } { 0, 1 } { 1, 3 }... ρ {0,1,...,9} = {0,1,2,...} { 0 } { 2 } { 1 }... { } Every Galois connection, C α, γ A, defines a closure map, γ α. Every closure map, ρ : C C, defines the Galois connection, C ρ, id ρ[c].

14 Escuela 03 II / 14 Moore families Given C, can we define a closure map on it by choosing some elements of C? The answer is yes, if the elements of C we select are closed under greatest-lower-bounds: Definition: M C is a Moore family iff for all S M, ( S) M. We can define a closure map as ρ(c) = {c M c C c }. For a closure map, ρ : C C, its image, ρ[c], is a Moore family. Given C, we can define an abstract interpretation by selecting some M C that is a Moore family!

15 Escuela 03 II / 15 Closed binary relations Often a Galois connection uses a powerset for its concrete domain, that is, (D) α, γ A. This format yields a simple characterization: Given unordered set D and complete lattice A, it is natural to relate the elements in D to those in A by a binary relation, R D A, such that (d, a) R means d has property a. We write this as d R a or as d = R a. Example: D = Int, and A = {none, neg, pos, zero, nonneg, nonpos, any}. Then, 2 R nonneg, 2 R pos, and 2 R any. (Or we write, 2 = R nonneg, 2 = R pos, and 2 = R any.) We immediately define the function, γ : A (D), as γ(a) = {d D d R a} For example, γ(nonneg) = {0, 1, 2,...}.

16 Escuela 03 II / 16 We can check if γ is the upper adjoint of a Galois connection, say, by showing that γ[a] defines a Moore family. But we can check for this directly upon R: Proposition: R D A defines a Galois connection between (D) and A iff (i) R is U-closed: c R a and a A a imply c R a ; (ii) R is G-closed: c R {a c R a}. If R defines a Galois connection, then we have this crucial property: for all a A and C (D), C γ(a) iff α(c) A a iff (c R a, for all c C). This is of course the definition of a Galois connection, and in this sense, R is a Galois connection.

17 Escuela 03 II / 17 A recipe for abstract-domain building Given an unordered set, D, of concrete data values, we might ask, What are the properties about D that I wish to calculate? Can I relate these properties, a A, to elements d D via a UG-closed binary relation, R D D A? Given a set, A, and relation, R D D A, 1. Define γ : A (D) as γ(a) = {d d R D a}. 2. Define this partial ordering on A: a a iff γ(a) γ(a ). (If there are distinct a, a A such that γ(a) = γ(a ), then merge them.) This forces U-closure. 3. Ensure that γ[a] is a Moore family by adding greatest-lower-bound elements to A as needed. This forces G-closure. 4. Use the existing machinery to define the Galois connection between (D) and A.

18 Escuela 03 II / 18 Example: Abstracting the Program State The concrete storage vector is a product, Store = Π i Identifier Data and the concrete program state is a ProgramPoint Store pair. Example: p 1, x : 3, y : 4 is a program state. Say that we have the relation, R Data Data AbsData, and we have the induced Galois connection, (Data) α Data, γ Data AbsData. Now, we can build Galois connections that abstract the store and the state. A concrete store is related to an abstract store: x i : v i i Id R Store x i : a i i Id, iff, for all i Id, v i R Data a i Example: x : 3, y : 4 R Store x : any, y : even. This produces a Galois connection, (Store) α Store, γ Store AbsStore,

19 Escuela 03 II / 19 where AbsStore = Π i Identifier AbsData and γ x i : a i i Id = { x i : v i i Id v i γ Data (a i ), for all i Id} α Store (S) = s S α(s(i)) i Id For example, γ Store x : even, y : odd = { x : 0, y : 1, x : 0, y : 3, x : 2, y : 1,...} A program point is abstracted to itself: p R PP p, suggesting that the abstract domain of program points might be merely AbsPP = ProgramPoint {, }. ( and are needed to make AbsPP a complete lattice.) Finally, we can relate a concrete state to an abstract one: p, s R State p, σ iff p R PP p and s R Store σ Hence, γ State (p i, σ) = {p i, s s γ Store (σ)}.

20 Escuela 03 II / 20 Concrete and abstract operations Now that we know how to model c C by α(c) A, we must model concrete computation steps, f : C C, by abstract computation steps, f # : A A. Example: We have concrete domain, Nat, and concrete operation, succ : Nat Nat, defined as succ(n) = n + 1. We have abstract domain, Parity, and abstract operation, succ # : Parity Parity, defined as succ # (even) = odd, succ # (any) = any, succ # (odd) = even succ # (none) = none succ # must be consistent (sound) with respect to succ: if n R Nat a, then succ(n) R Nat succ # (a) where R Nat Parity relates numbers to their parities (e.g., 2 R Nat even, 5 R Nat odd, etc.).

21 Escuela 03 II / 21 We want soundness: n R Nat a implies succ(n) R Nat succ # (a), for all n Nat and a Parity. Since we have the Galois connection, (Nat) α, γ Parity, we know that γ(a) = {n n R Nat a}. So, soundness is stated equivalently as for all a A, for all n γ(a), succ(n) γ(succ # (a)) and this is equivalent to saying, for all a A, succ (γ(a)) Nat γ(succ # (a)) that is, for all a A, (succ γ)(a) Nat (γ succ # )(a) where succ : (Nat) (Nat) is succ (S) = {succ(n) n S}. This is interesting, because it states a commutative, semi-homorphism property...

22 Escuela 03 II / 22 Definition: For Galois connection, C α, γ A, and functions f : C C, f # : A A, f # is a sound approximation of f iff (α f)(c) A (f # α)(c), for all c C iff (f γ)(a) C (γ f # )(a), for all a A This slightly abstract presentation exposes that α is a semi-homomorphism with respect to f and f # : α c α ( c ) f f # α f( c ) α ( f( c ) ) f # ( α ( c ) )

23 Escuela 03 II / 23 Example 1: n R Nat a implies succ(n) R Nat succ # (a) Galois connection: (Nat) α, γ Parity succ : (Nat) (Nat) succ (S) = {succ(n) n S} where succ(n) = n + 1 succ # : Parity Parity succ # (even) = odd, succ # (odd) = even succ # (any) = any, succ # (none) = none We have that α succ = succ # α: {2,6} α succ * {3,7} α odd even odd succ #

24 Escuela 03 II / 24 Example 2: n R Nat a implies div2(n) R Nat div2 # (a) Galois connection: (Nat) α, γ Parity div2 : (Nat) (Nat) div2 (S) = {div2(n) n S} where div2(2n + 1) = div2(2n) = n div2 # : Parity Parity div2 # (even) = div2 # (odd) = any div2 # (any) = any, div2 # (none) = none We have that α div2 Parity div2 # α: α {6} div2 * even div2 # α {3} odd any

25 Escuela 03 II / 25 Synthesizing f # from f The previous slides show how α acts as a semi-homomorphism between f and f #. Given the Galois connection, C α, γ A, and operation, f : C C, the most precise f # best : A A that is sound with respect to f is f # best = α f γ Proposition: f # is sound with respect to f iff f # best A A f #. (Note: f A A g iff for all a A, f(a) A g(a).) Of course, f # best has a mathematical definition not an algorithmic one f # best might not be finitely computable! Parity example continued: succ # best (even) = α succ (γ even) = α(succ {2n n 0}) = α{2n + 1 n 0} = odd

26 Escuela 03 II / 26 One more example: Given (Nat) α, γ Parity and div2 : Nat Nat, we have div2 : (Nat) (Nat) div2 (S) = div2[s] = {div2(n) n S} Hence, div2 # best = α div2 γ. The operation loses precision: α(div2 {4}) = α{2} = even, but div2 # best (even) = α(div2 (γ(even))) = α(div2 {0, 2, 4,...}) = α{1, 2, 3,...} = any Nonetheless, this is the best we can do, given the crude structure of the abstract domain, Parity.

27 Escuela 03 II / 27 Completeness Given C α, γ A, we state soundness of f # with respect to f as α f A A f # α iff f γ C C γ f # Definition: f # is forwards (γ) complete with respect to f iff f γ = C C γ f # Definition: f # is backwards (α) complete with respect to f iff α f = A A f # α The two completeness notions are not equivalent! For an f # to be (forwards or backwards) complete, it must equal f # best = α f γ. Indeed, the structure of the Galois connection and f : C C determines whether f # best is complete.

28 Escuela 03 II / 28 Forwards (γ) completeness: f # best is forwards-complete iff f maps image points of γ to image points of γ f(γ[a]) γ[a]. f f Backwards (α) completeness: f # best is backwards-complete iff f maps all points in the same α-equivalence class to points in the same α-equivalence class α(c) = α(c ) implies α(f(c)) = α(f(c )). f

29 Escuela 03 II / 29 Transfer functions generate computation steps Each program transition from program point p i to p j has an associated transfer function, f ij : C C (or f # ij : A A), which describes the associated computation. This defines a computation step of the form, p i, s p j, f ij (s). Example: Assignment p 0 : x = x + 1; p 1 : has the transfer function, f 01...x : n... =...x : n For example, p 0, x : 3 p 1, f 01 x : 3 = p 1, x : 4. For modelling multiple transitions in conditional/nondeterministic choice, we attach a transfer function to each possible transition. p 0 : cases x y: p 1 : y = y - x; Example: For y x: p 2 : x = x - y; end

30 Escuela 03 II / 30 For p 0 : cases x y: p 1 : y = y - x; y x: p 2 : x = x - y; end we have these functions: s if s.x s.y f 01 (s) = otherwise s if s.y s.x f 02 (s) = otherwise For example, p 0, x : 5, y : 3 p 1,, because x y, but p 0, x : 5, y : 3 p 2, x : 5, y : 3, because y x. The transfer functions filter the data that arrives at a program point. We ignore computation steps, p, s p,, that produce no data ( ). An execution trace is a (possibly infinite) sequence, p 0, s 0 p 1, s 1 p j, s j, such that, for all i 0: p i, s i p succ(i), f i,succ(i) (s i ) no s i equals.

31 Escuela 03 II / 31 Using the f # s to build sound, abstract trace trees p 0 : while (x!= 1) { p 1 : if Even(x) p 2 : then x = x div2; p 3 : else x = 3*x + 1; } p 4 : exit Note: p i, v abbreviates p i, x : v Abstract overapproximating trace: p 4, odd p 0, even p 1, even p 2, even p 0, any p 3, odd p 1, any Two concrete traces: p 0, 4 p 1, 4 p 2, 4 p 0, 2 p 1, 2 p 2, 2 p 0, 1 p 4, 1 p 0, 6 p 1, 6 p 2, 6 p 0, 3 p 1, 3 p 2, 3 p 0, 10 p 4, 1 Each concrete transition is generated by an f ij ; each abstract transition is generated by the corresponding f # ij.

32 Escuela 03 II / 32 Each concrete transition, p i, s p j, f ij (s), is reproduced by a corresponding abstract transition, p i, a p j, f # ij (a), where s γ(a). For example, p 2 : x = x div2 is interpreted concretely by f 20 (2n) = n = f 20 (2n + 1) and is interpreted abstractly by f # 20 (even) = any = f# 20 (odd) = f# 20 (any). The traces embedded in the abstract trace tree cover (simulate) the concrete traces, e.g., this concrete trace, p 0, 4 p 1, 4 p 2, 4 p 0, 2 p 1, 2 p 2, 2 p 0, 1 p 4, 1 is simulated by this abstract trace, which is extracted from the abstract computation tree: p 0, even p 1, even p 2, even p 0, any p 1, any p 2, even p 0, any p 4, odd and indeed, all concrete traces starting with p 0, 2n, n >= 0, are simulated by the abstract tree in this manner.

33 Escuela 03 II / 33 Proof of soundness of trace construction For S C and a A, say that S R a iff S C γ(a) iff α(s) A a. Lemma: α f A A f # α iff f γ C C γ f # iff S R a implies f(s) R f # (a). Theorem: For every concrete trace, (p i, s i ) i 0, there exists an abstract trace, (p i, a i ) i 0, such that for all i 0, {s i } R a i. Proof: We use the Lemma and induction to assemble this diagram: p 0, s 0 p 1, f 0 (s 0 ) = p 1, s 1 p 2, f 1 (s 1 ) = p 2, s 2 p i, s i R R R R p 0, a 0 p 1, f # 0 (a 0) = p 1, a 1 p 2, f # 1 (a 1) = p 2, a 2 p i, a i (Note: each s i in the diagram is more precisely stated as {s i }, because C = (Store).) Due to imprecision of the f # s, the abstract trace tree may possess many traces that begin with p 0, a 0, but there is always one trace in the tree that simulates the concrete trace.

34 Escuela 03 II / 34 When all the operations, f # ij, are complete with respect to the f ijs, the previous result is strengthened: Say that S R a iff α(s) = a. (Similarly, say that S R a iff S = γ(a).) In both cases, the lemma holds: Lemma: α f = A A f # α iff S R a implies f(s) R f # (a). (Similarly, f γ = C C γ f # iff S R a implies f(s) R f # (a).) Theorem (α-completeness): When S R a iff α(s) = a, then for every concrete trace, (p i, s i ) i 0, there exists an abstract trace, (p i, a i ) i 0, such that for all i 0, {s i } R a i. Theorem (γ-completeness): When S R a iff γ(a) = S, S Store, then for every trace on sets of stores, (p i, S i ) i 0, there exists an abstract trace, (p i, a i ) i 0, such that for all i 0, S i R a i.

35 Escuela 03 II / 35 References P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. ACM POPL P. Cousot and R. Cousot. Systematic design of program analysis frameworks. ACM POPL, P. Cousot. Slides for invited lecture at VMCAI 2003, New York City. R. Giacobazzi, F. Ranzato, and F. Scozzari. Making abstract interpretations complete. Journal ACM 47(2) R. Giacobazzi and E. Quinterelli. Incompleteness, counterexamples, and refinements in abstract model-checking. SAS 2001, Springer LNCS D. Schmidt. Structure-preserving binary relations for program abstraction. In The Essence of Computation: Complexity, Analysis, Transformation. Springer LNCS 2566, 2002.

Static Analysis: Applications and Logics

Escuela 03 IV / 1 Static Analysis: Applications and Logics David Schmidt Kansas State University www.cis.ksu.edu/~schmidt Escuela 03 IV / 2 Outline 1. Applications: abstract testing and safety checking